
Communicating Between Nodes via SSH


SSH is one of the most important tools for a Linux network administrator. It allows you to connect to servers and other workstations remotely, and work on them from within your favorite terminal emulator, all from the comfort of your desk. While SSH might not be the perfect tool for every situation, it's one of those that you won't be able to imagine life without, once you start using it.
In this chapter, we explore SSH and cover the following topics:
- Using OpenSSH
- Installing and configuring OpenSSH
- Connecting to network hosts via openssh-client
- The OpenSSH config file
- Understanding and utilizing scp
- Transferring files to another node via scp
- Tunneling traffic via SSH
- Generating public keys
- Keeping SSH connections alive
- Exploring an alternative to SSH utilizing Mosh (mobile shell)

Using OpenSSH
SSH, or Secure Shell, is a very handy utility. SSH is not an absolute requirement for performing tasks in your server room, but it is one of those things that will make your life a lot easier. With SSH, you are able to execute commands on a different Linux machine as though you were sitting right there in front of it. Sure, you could always walk into your server room, grab the keyboard, and start working, but nowadays remote administration is the name of the game. This is especially true if it's your turn to be on call and an issue comes up at the office. Depending on the nature of the issue, SSH may allow you to fix the problem from home (or even on your smartphone) without having to make the trek all the way to your company's server room. That's not all; SSH also allows you to copy files from one machine to another and set up an actual storage mount to a directory on a server, which can be treated on your workstation as if the directory were a local part of your filesystem.
The concept of connecting to a remote host and opening a command shell is not new, and SSH is not the first to do it. Other solutions such as telnet or rlogin have existed for quite a while. What makes SSH desirable is that it is more secure than earlier technologies, as communication is encrypted. There are two protocols for SSH: protocol 1 and protocol 2. Protocol 1 should not be used under any circumstances, as it is no longer secure. Traffic sent between two hosts utilizing protocol 1 could be intercepted by an attacker. We will discuss this aspect of SSH in Chapter 9, Securing Your Network, but for now I want to make sure that you understand that you shouldn't use an SSH connection with protocol 1. You should not offer protocol 1 to any of your hosts. Nowadays, protocol 2 is the default.
By default, SSH uses port 22 to communicate. If this port is blocked by a firewall, you will not be able to connect. This is extremely common in Windows-centric businesses, since SSH is more common in the Linux/UNIX world. By changing the configuration of the SSH server, you can configure it to listen on any port you like. While we won't get into how to configure this just yet (we'll discuss this in Chapter 9, Securing Your Network), it's mentioned here because it's important to note that you may run into a situation where you aren't able to connect to an SSH server, for example, when the port is either closed or has been changed to a different one.
Although I mentioned that learning SSH isn't actually required to perform tasks on a server or workstation, it is highly recommended that you spend time to learn it. Not only do companies that utilize Linux servers expect you to know it, you won't want to miss out on its advantages. Thankfully, as useful as SSH is, it's by no means difficult to learn. You could easily learn the most basic functionality in five minutes, or advanced usage within a week.


Chapter 3

Installing and configuring OpenSSH
OpenSSH comes in two pieces, the client application and the server application. It's likely that the client application is installed by default in your distribution. The client allows you to connect to other nodes via SSH, but having the client alone doesn't allow others to connect to you. If you want to access a machine via SSH, that machine must also have the SSH server application installed. Your chosen distribution may have the server application installed by default, but most don't. This is due to security; unless you absolutely need to have an application running and listening for connections, it should be absent. The fewer applications, the smaller the attack surface someone could use against you.
In Debian, SSH server is an option during the installation process. If selected, the server application of SSH will be present and will start by default. To check whether the SSH server package is installed on a Debian system, execute the following command:
aptitude search openssh-server

In the output, if the first character is i, then the package is installed. You can check whether the sshd service is running with the following command:
ps ax | grep sshd

If the service isn't running, you can start it by executing the following command on Debian:
# systemctl start ssh.service

On Debian, you can check the status of the SSH service by executing the
following command:
# systemctl status ssh.service

If it's running, the output should include active (running).
If your system doesn't have the SSH server package installed, you can install it with the following command:
# apt-get install openssh-server

After you've installed the package, check the status of the service with the following command to see if it's enabled:
systemctl status ssh.service

Otherwise, it won't start automatically the next time you boot the machine.


In CentOS, you also use the systemctl command in order to check the status of the
SSH service, though the daemon is named a bit differently:
systemctl status sshd.service

In the previous command in Debian, the service was named ssh.service. In CentOS, it's named sshd.service. In CentOS, both the client and server packages for SSH are installed by default, so you should already have them as soon as your CentOS system finishes installation. If you don't have the package installed for some reason, you can install it via yum:
# yum install openssh-server

After installation, ensure that the service is enabled by checking the status:
systemctl status sshd.service

If the SSH service is not in an enabled state (start on boot), execute the
following command:
# systemctl enable sshd.service

Now that SSH is installed on your machines, we're ready to start using it.

Connecting to network hosts via openssh-client
For this experiment, you'll need at least one Linux installation with the SSH server active and another with at least the SSH client installed. For the client, you'll need to either install the openssh-clients package in CentOS, or the openssh-client package in Debian. The client package for SSH is installed by default on both, so you shouldn't need to install it unless the package was removed. For this activity, it doesn't matter which distribution is on the server or the client end of the connection. Feel free to mix it up.
Next, all we need is to record the IP address of the node we wish to connect to. Regardless of the distribution, you should be able to discover the IP address by executing the following command:
ip addr show

To connect to that machine via SSH, execute the ssh command against the IP address of the host. For example, if the host you want to connect to has an IP address 192.168.1.201, execute the following command:
ssh 192.168.1.201

As long as your username is the same on both sides, that command should ask for your password and then let you in. If your username is different on the host you're attempting to connect to, add the appropriate username to the command like this:
ssh jdoe@192.168.1.201

With SSH, you can connect to another Linux installation using any username that exists there, as long as you know the password for it. In fact, depending on how the distribution was configured by the vendor, you may even be able to log in directly as root. In CentOS, root login is enabled by default. In Debian, root login via SSH is not allowed unless you're using an RSA key (we'll discuss this in Chapter 9, Securing Your Network). Although we'll discuss more about security (including how to allow/disallow users) in that chapter, for now it's important to understand that allowing root access to a system via SSH is a very bad idea. I hope that you'll keep this disabled on production servers and workstations. If you wish to disable root access now, go to the relevant section of Chapter 9, Securing Your Network, and then come back here.
SSH also allows you to specify a host name rather than an IP address. In fact, host names are the preferred method, since it's difficult to memorize IP addresses if you have a great number of machines in your network. SSH itself doesn't resolve host names; it relies on DNS for that. If the DNS server on your network has an A (address) record for the machine you wish to connect to, you should be able to use the host name instead of the IP address:
ssh jdoe@chupacabra

If the machine doesn't have a DNS entry in your network, or if you have yet to set up a DNS server, don't worry. We'll discuss setting up our very own DNS (bind) server in Chapter 6, Configuring Network Services.

Another important aspect of connecting to a host is specifying a port. As mentioned earlier, the default port is 22. If you don't specify a port, then port 22 is assumed. If you need to specify a different port, you can do so with the -p flag as follows:
ssh -p 6022 jdoe@chupacabra


After a successful connection, you should have a command prompt to a shell on the target machine. From here, you can install packages, manage users, configure the network, or do anything else that you'd be able to do if you were able to log in to the machine in person. Your only limit is whatever permissions your user has to the system. If it's a machine that belongs to you, or one that you set up yourself and you know the root password for, you can literally do anything you want. If the machine belongs to someone else, you might have permission to modify your local home folder only. Either way, you successfully connected to a machine using SSH. The remaining sections of this chapter, as well as Chapter 9, Securing Your Network, will expand on this basic knowledge.

The OpenSSH config file

When utilizing SSH for the first time, the .ssh directory will be created in your home directory. This directory contains useful files for your SSH client, which include known_hosts, id_rsa, and id_rsa.pub once you generate your keys (which we will do later). While we will discuss those files later on in this chapter, there is another file that the SSH client recognizes: config. This file is not created by default. If you create it yourself (following the proper syntax), then SSH will recognize it. So, what does this config file do? If you have one or more hosts that you connect to frequently, you can fill this file with the specifics for each host without having to enter the details each time. Let's look at an example ~/.ssh/config file:
Host icarus
    Hostname 10.10.10.76
    Port 22
    User jdoe
Host daedalus
    Hostname 10.10.10.88
    Port 65000
    User duser
Host dragon
    Hostname 10.10.10.99
    Port 22
    User jdoe


For this file, SSH will recognize three hosts straight away: icarus, daedalus, and dragon. This is regardless of whether or not these machines are listed in DNS. If we were to type ssh icarus and the previous config file was used, SSH would know not only how to get to it (the IP address is given in the file), but SSH would also know which user and port to use. Even if our username is not jdoe, it will be used for this connection (since it's listed in the file), unless we give the ssh command a different user in the command string.
In the second entry in our sample file (daedalus), you'll notice that it is a bit different from the others. First, the port is different. For all the other hosts in this file, the default of 22 is used. But with daedalus, we issue a different port. If we connect to daedalus via SSH, it will automatically try the referenced port. Next, you'll also notice that the username is different for this host. Even if our local user was jdoe and we didn't supply a different username, user duser would be automatically used instead. We can override this by providing user@ before the host name, if we wished to.
Since this file doesn't exist by default, all we need to do is create it using any text editor and save it to the following:
~/.ssh/config

As long as we typed it out correctly, SSH should see the file and allow us to use it. Then, we can create our own list of hosts in this file to easily provide the required parameters for each, and allow easier access. Go ahead and give it a try in your lab.

Understanding and utilizing scp
SSH actually has several uses; it's not just for connecting one machine to another, though that is the most popular use case. SSH also allows you to transfer files to another machine, or even transfer files from a remote machine to your local one. The utility that allows you to do this is the scp (secure copy) command, which is part of the SSH suite of utilities. Of course, you can also transfer files via network shares, but the beauty of scp is that it offers an on-the-fly file transfer with no share configuration being necessary. The scp command is simple and fast. You can transfer a file from your machine to anywhere on the filesystem of a target machine that you have permission to access.


The scp utility is primarily meant for those who need a quick transfer of a file, as it is not a long-term solution for file access and storage. In a situation where you need to create a storage repository that others need to access, you would typically set up an NFS or Samba share to accomplish the goal. However, scp is a great utility that will prove very useful to you whenever you want to simply send a file to another machine without configuring anything.

Transferring files to another node via scp

Let's give scp a try. As with our previous SSH activity, you'll need at least two machines: one with the SSH server installed and running, and another with at least the client. In this case, the distribution shouldn't matter, as long as you meet these simple requirements. In addition, we'll need a file to test with. The file can be something small (such as a text file or image) or large (such as an ISO file for a Linux distribution). The goal is to transfer this file to another machine using scp. Let's see how to do this.
For the sake of this tutorial, I'll outline the procedure for a machine named foo to transfer a file to a machine named bar.
First, let's take a look at a simple example of scp:
scp my-image.jpg 192.168.1.200:/home/jdoe/

In that example, we've executed the scp command against a file named my-image.jpg. Next, we outline the target. In this case, a machine with the IP address of 192.168.1.200. Then, we type a colon and the path where we'd like the file to be stored. In this case, we are going to copy the file into the home directory for jdoe. Since we know the name of the target machine (bar), we could use the name of the machine instead of the IP address, assuming that it is recognized by the DNS server, was configured in ~/.ssh/config, or is an entry in foo's /etc/hosts file. The command is as follows:
scp my-image.jpg bar:/home/jdoe

We simplified the command a bit, since we know the name of the machine. Additionally, we don't have to type out the name of the directory if we're intending to copy to a user's home directory. We could have simplified the command to the following:
scp my-image.jpg bar:.


In the example, instead of typing out /home/jdoe, we replaced the path with a period. This works because the home directory is assumed unless you give the command a separate path. We'd also get the same result if we used a tilde (~) instead:
scp my-image.jpg bar:~

What if the data we wish to copy is an entire directory instead of just a single file? If we try to use the scp command against a directory, it will fail. In order to copy an entire directory, we need to add the -r flag that performs a recursive copy:
scp -r my_dir bar:~

Now, the my_dir directory and its contents will be transferred over. Another useful flag when copying files is -p, which preserves the modification times when the file is copied. If we combine that with the previous command, we get:
scp -rp my_dir bar:~

However, each of these commands will fail if the user name is different on the two machines. For example, if the logged-on user on foo is dlong and the user doesn't exist on bar, the command would fail because the sending computer would default to using dlong, the currently logged-on user. In this case, the other computer would ask you for the password three times, and then give you a message that access is denied. This is because you would essentially be typing a password for a user that doesn't exist. If we need to specify the username for the target, the command would become similar to the following:
scp my-image.jpg jdoe@bar:~

With the new version of the command, you'll be prompted for the jdoe password, and then the file would be copied to /home/jdoe on the receiving end.
As mentioned previously in this chapter, the default port for SSH (port 22) may not be open on the target, as perhaps it is listening on a different port. With scp, we can specify a different port. To do so, use the -P flag. Note that this is an uppercase P, unlike the ssh command that uses a lowercase -p for specifying the port (this can be somewhat confusing at first when switching between ssh and scp). For example, this flag is appended to the previous command:
scp -P 6022 my-image.jpg jdoe@bar:~


Go ahead and give it a try in your lab. Find a file of any type and attempt to transfer it to another Linux machine. If you do this a few times, you should be able to get the hang of it fairly quickly. Another point of interest in regards to scp is that you can use it to copy a file or directory from a remote machine to your local one, if you already know the path of the file you wish to download. In the last example of this section, I'm copying myimage.jpg from remote host bar to my current working directory (which I designate with a period):
scp jdoe@bar:~/myimage.jpg .

Tunneling traffic via SSH
One of the most useful features of SSH is creating an SSH tunnel. An SSH tunnel allows you to access services locally that originate from another computer or server. This allows you to do such things as bypass local DNS filtering, or even access an IRC server that is segregated within your company from home.
Be very careful when utilizing SSH tunnels. If you aren't able to access a resource while at work, or a work resource is blocked from being accessible from outside the network, chances are the network administrator (if that person is not you) set it up this way for a reason. When bypassing restrictions or accessing work resources from outside the network, always ensure you have permission to do so.

In order for an SSH tunnel to be effective, you first need to be able to access SSH where the service you'd like to access is hosted. If you're able to initiate a normal SSH connection to a network containing the service, chances are that you'll have no problem creating a tunnel.
While utilizing SSH to create a tunnel, the command changes a bit. Instead of just executing the ssh command against a host name or IP address, there are a few more flags added. First, we add the -L flag. This sets up what is known as a bind address, which basically means we are taking a local port and forwarding it to a specific port on the other end.
The syntax for such a command string would be something like this:
ssh -L <local-port>:localhost:<remote-port> <username>@10.10.10.101


Basically, we execute SSH with the -L flag and use localhost since we intend to forward a local service to a remote one. However, we sandwich localhost with a port and a colon on either side. The port on the left-hand side is our local port, and on the right-hand side of the IP address, we have a colon and then the remote port. We then finish off the command with our usual syntax; that is, we type our username and then the IP address of the gateway we will use for the connection.
Confused yet? Let's break this down further and use an example.
By default, VNC (a graphical remote access program) utilizes ports 5900-5902. If you wanted to access a desktop environment on a remote host with an IP address of 10.10.10.101, use the following command:
ssh -L 5900:localhost:5901 jdoe@10.10.10.101

Here, we're forwarding port 5900 on our local machine to port 5901 on 10.10.10.101. As soon as the session connects and is established, we can then use the following in our VNC viewing application on our local machine to connect to the VNC service on the remote end:
localhost:5900

Anytime localhost:5900 is used, we'll be forwarded to our remote machine. To end the session, exit from the SSH connection. For VNC, we need to specify which VNC session to use. In order to use the VNC Viewer application to open a VNC session to 10.10.10.101, we would execute the following command:
vncviewer localhost:1

However, what if the machine or service we wish to connect to is behind a different gateway? The previous example only works if the IP address, 10.10.10.101, is routable through the Internet, or we are actually on the same network as the resource we wish to connect to. This is not always the case, and generally, useful services are not exposed directly to the Internet. For example, if you're at home and you wish to connect to the remote desktop protocol on a computer in your work network, the previous example wouldn't work.
In this example, at the office we have a computer with a remote desktop exposed with an IP address 10.10.10.60. We can't get to this machine directly from home because it is not routable through the Internet. However, we just so happen to have a server at work that actually is exposed to the Internet with an outside IP address 66.238.170.50. We are able to SSH directly into that machine from home, but host 10.10.10.60 is further within that network.


Here, we can utilize host 66.238.170.50 to facilitate our connection to 10.10.10.60 inside our work network. Let's look at a command:
ssh -L 3388:10.10.10.60:3389 jdoe@66.238.170.50

In this example, jdoe has a user account on host 66.238.170.50 and wishes to
connect to host 10.10.10.60, which is inside her company network. In this example,
jdoe is forwarding local port 3388 on localhost to port 3389 on host 10.10.10.60,
but establishing the connection through host 66.238.170.50. Now, user jdoe is
able to open a remote desktop client and use the following command for the
connection address:
localhost:3388

As long as the SSH connection remains open, jdoe will then be able to utilize
a remote desktop on the server from her local computer. If the shell is closed,
then the connection will terminate.
Using SSH tunnels can be very useful. Feel free to give it a try and see which services
you can forward through your network.
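The two forwards above are run from an interactive shell that has to stay open. As an added example (not code from the book), here is how a script can hold such a forward open only while the client that needs it is running, and fail loudly when the local port cannot be bound; it assumes an OpenSSH client, reuses the book's sample hosts and ports, and the "your-rdp-client" command is a placeholder for whatever client you point at localhost:3388.

```shell
#!/bin/sh
# Added example, not from the book: keep a local port forward open only while the
# client that needs it is running, and fail loudly if the forward cannot be bound.
# ssh is run with -N (no remote command) and -f (go to background once the forward
# is up), with a control socket so the tunnel can be closed deterministically with
# "ssh -O exit", and with ExitOnForwardFailure so a local port already in use is an
# error rather than a silently missing forward. -L binds to the loopback address by
# default, so the forwarded service is not reachable by other machines on your LAN.
# Hosts, ports and the jdoe account are the book's sample values.

# forward_spec <local_port> <target_host> <target_port>
# Validates each part and prints the -L argument, e.g. 3388:10.10.10.60:3389.
# Returns 1 when a port is not a number in 1-65535 or the host is empty.
forward_spec() {
    lport="$1"; host="$2"; rport="$3"
    for p in "$lport" "$rport"; do
        case "$p" in
            ''|*[!0-9]*) echo "forward_spec: port '$p' is not numeric" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "forward_spec: port '$p' is out of range" >&2; return 1
        fi
    done
    [ -n "$host" ] || { echo "forward_spec: target host is empty" >&2; return 1; }
    printf '%s:%s:%s\n' "$lport" "$host" "$rport"
}

# with_tunnel <user@gateway> <forward spec> <client command...>
# Opens the tunnel, runs the client, and closes the tunnel when the client exits
# (or when the script is interrupted). Returns 1 if ssh could not set it up.
with_tunnel() {
    gateway="$1"; spec="$2"; shift 2
    ctl="${TMPDIR:-/tmp}/tunnel-ctl.$$"
    ssh -f -N -M -S "$ctl" -o ExitOnForwardFailure=yes -L "$spec" "$gateway" || {
        echo "with_tunnel: could not establish forward $spec via $gateway" >&2
        return 1
    }
    # Every exit path from here on tears down the master connection and its forward
    trap 'ssh -S "$ctl" -O exit "$gateway" 2>/dev/null' EXIT INT TERM
    "$@"
}

# Usage (not executed here): the office scenario from the text, RDP on 10.10.10.60
# reached through the Internet-facing gateway 66.238.170.50. "your-rdp-client" is a
# placeholder for the real client, which connects to localhost:3388.
#   spec=$(forward_spec 3388 10.10.10.60 3389) || exit 1
#   with_tunnel jdoe@66.238.170.50 "$spec" your-rdp-client localhost:3388
```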

Generating public keys
SSH also supports public key authentication, in addition to traditional passwords, which is more secure. While the encryption that SSH employs using protocol 2 is strong, the greatest encryption in the world won't save you if your password is leaked or brute-forced. This is especially catastrophic on a mission-critical server. Utilizing public key authentication allows you to connect to a host using a private and public key relationship, instead of using a password. By default, SSH will allow a user to log in via either the username/password combination or a username/key pair combination. The first method is only as secure as the password. By utilizing public key authentication, you can bypass the need for a password completely, and connect to a server without being prompted. But if a server still accepts your password as a means of authentication, then public key authentication is not at its strongest point.
On the server end of the SSH connection, it is possible to configure it to accept authentication only from a public key, rather than password. If password authentication is disabled, then no one would be able to brute force the password and get into the server, since the password would be ignored. If the attacker doesn't have access to the private key, then he or she would not be able to connect.


Generating a key pair is simple using the ssh-keygen command, which will guide you through the process of setting up your keys. During this process, you will be asked to create a passphrase. You could, if you wanted to, disregard this prompt and simply press Enter to create a key without a passphrase. Doing so, however, drastically lowers the security of that key. While it is certainly much more convenient to not have to type anything at all when connecting to a host via SSH, it's definitely recommended to use a passphrase and benefit from the added security.
With public key authentication, two files are created in the user's home directory: id_rsa and id_rsa.pub. These files are created when you run through the process while executing ssh-keygen, mentioned earlier. After the command completes, these two files should be located in the .ssh directory of your home directory. The id_rsa file is your private key. You should keep it local and not transmit it or share it in a public place. The id_rsa.pub file is your public key, which you can safely copy to other hosts that you connect to. From that point forward, you will be able to use public key authentication to connect to another host.
Let's summarize the entire process. First, while logged in to your local or main machine, execute ssh-keygen and walk through the steps. Make sure to create a passphrase for added security.

[Figure: Creating a key pair for SSH using ssh-keygen]

Next, utilize the ssh-copy-id command in order to copy your key to the remote server you wish to connect to. The command syntax is as follows:
ssh-copy-id -i ~/.ssh/id_rsa.pub <remote host IP or name>


This command will copy your public key into the authorized_keys file under your ~/.ssh folder on the target machine. This file stores all the keys that the machine knows about. If you were to check before and after running through the ssh-copy-id process, you'd notice that the authorized_keys file on the target either didn't exist, or didn't include your key until after you executed the command.

[Figure: Copying a public key to a remote host using ssh-copy-id]

As mentioned earlier, it is possible to configure your computer or server to disallow authentication via password, only allowing public key authentication instead. This portion will be discussed further in Chapter 9, Securing Your Network. For now, it's important to get in the habit of generating, copying, and using keys. Feel free to create a key pair on your local machine and copy the public key to a server that you frequently connect to.
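What ssh-copy-id does on the target once it has authenticated, as an added example that is not the book's or OpenSSH's own code: it creates ~/.ssh and authorized_keys with the permissions sshd insists on and appends the key exactly once. It assumes a POSIX shell with awk, and the key lines are constructed placeholders rather than real key material.

```shell
#!/bin/sh
# Added example, not from the book: the target-side half of ssh-copy-id. Two details
# matter for defenders: sshd (StrictModes, on by default) ignores authorized_keys
# when the file, ~/.ssh or the directories above them are group- or world-writable,
# and a careless "cat >>" run twice leaves duplicate entries that make later key
# removal and rotation error-prone. Key lines here are constructed placeholders.

DEMO_HOME="${TMPDIR:-/tmp}/demo_target_home.$$"
trap 'rm -rf "$DEMO_HOME"' EXIT
mkdir -p "$DEMO_HOME"

DEMO_PUBKEY='ssh-ed25519 AAAA_PLACEHOLDER_NOT_A_REAL_KEY_BLOB jdoe@foo'

# install_authorized_key <home_dir> <public key line>
# Creates <home_dir>/.ssh (0700) and authorized_keys (0600) if missing and appends
# the key once. Returns 0 whether the key was added or was already present, and 1
# if the line is not a public key line of the form "<type> <base64 blob> [comment]".
install_authorized_key() {
    home="$1"; line="$2"
    type=$(printf '%s\n' "$line" | awk '{ print $1 }')
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    case "$type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "install_authorized_key: '$type' is not a supported key type" >&2; return 1 ;;
    esac
    [ -n "$blob" ] || { echo "install_authorized_key: missing key material" >&2; return 1; }

    sshdir="$home/.ssh"; authkeys="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$authkeys" && chmod 600 "$authkeys" || return 1

    # A key's identity is type + blob; the trailing comment is free text and may differ
    if awk -v t="$type" -v b="$blob" '$1 == t && $2 == b { hit = 1 } END { exit !hit }' "$authkeys"; then
        echo "key already present in $authkeys" >&2
        return 0
    fi
    printf '%s\n' "$line" >> "$authkeys" && echo "key added to $authkeys" >&2
}

# count_authorized_keys <home_dir>: number of non-empty lines in authorized_keys
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return 0; }
    awk 'NF { n++ } END { print n + 0 }' "$f"
}

# perm_string <path>: ls-style mode string such as drwx------ (GNU and BSD stat
# take different flags, so the mode is read through ls instead)
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# The real-world equivalent of the above (not run here):
#   ssh-copy-id -i ~/.ssh/id_rsa.pub jdoe@bar
```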

Keeping SSH connections alive

Depending on how your SSH server or internal firewalls are configured, your SSH session may automatically disconnect after some time. It's possible to configure SSH to send a special packet every certain number of seconds, to keep the connection from idling and becoming a candidate for disconnection. This is useful if you have a service that utilizes SSH that you do not want to be disconnected. To employ this tweak, we must configure the ServerAliveInterval setting.
There are two ways of configuring this: one that affects your user account, and another that will deploy the setting system-wide. First, let's explore how to configure this for your user account.


Remember the ~/.ssh/config file that we configured earlier in this chapter? Open it up again in your text editor. Here's a sample of this file for your convenience:
Host icarus
    Hostname 10.10.10.76
    Port 22
    User jdoe
Host daedalus
    Hostname 10.10.10.88
    Port 65000
    User duser
Host dragon
    Hostname 10.10.10.99
    Port 22
    User jdoe

As before, we have three systems. If we wish to configure a host, for example icarus, to send an alive packet once every 60 seconds, we can add the following setting to it:
Host icarus
    ServerAliveInterval 60
    Hostname 10.10.10.76
    Port 22
    User jdoe

If we wish to set the ServerAliveInterval setting for all hosts we connect to, we could add this option as a wildcard instead by adding the following to the top of the file:
Host *
    ServerAliveInterval 60


With this, the setting takes effect for all systems we initiate a connection to. Although we haven't discussed them (yet), there are two system-wide (global) configuration files for SSH. We'll discuss these files later in this book, but the subject of this section is an opportunity to give you a quick introduction:
- /etc/ssh/ssh_config: This file will impact all users who make outbound connections. Think of this as the client configuration file.
- /etc/ssh/sshd_config: This is the global config file for the server.
Anything you configure in one of these two files will impact anyone. The ssh_config file impacts all outbound connections, and the sshd_config impacts all the incoming connections. For this section, the file we're interested in is the ssh_config file, since we can set the ServerAliveInterval setting for all users by including it there. In fact, regardless of whether we're configuring /etc/ssh/ssh_config or the local ~/.ssh/config file, the option is the same. Simply add it to the end of the file:
ServerAliveInterval 60

Of course, we'll explore configuring these options further later on in this book. For now, just remember the purpose of these two files and where they're located.
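Both the ~/.ssh/config section earlier in this chapter and the ServerAliveInterval discussion here depend on one rule that is easy to get wrong: the OpenSSH client keeps the first value it obtains for each option, so where a Host * block sits decides whether it overrides or merely fills in per-host settings, and a bare option appended after the last Host line belongs to that last block only. The resolver below is an added example (not code from the book or from OpenSSH) that shows the effect on the book's sample hosts; it assumes a POSIX shell with awk, handles only exact aliases and the * pattern, and both config files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the book: resolve what ssh will actually use for an alias
# from a client config file. OpenSSH keeps the FIRST value it obtains for each
# option, so order decides what wins:
#   - a "Host *" block at the TOP of the file overrides any per-host value below it;
#   - a "Host *" block at the END supplies defaults that per-host blocks can override;
#   - a bare "ServerAliveInterval 60" appended after the last Host line belongs to
#     that last Host block only (dragon in the book's file), not to every host.
# Both config files below are constructed for this demo from the book's sample hosts.

DEMO_DIR="${TMPDIR:-/tmp}/demo_ssh_config.$$"
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir -p "$DEMO_DIR"

CONFIG_WILDCARD_FIRST="$DEMO_DIR/config_first"
CONFIG_WILDCARD_LAST="$DEMO_DIR/config_last"

# Wildcard first, as in the text: fine as long as no host sets the option itself.
# daedalus tries to set a shorter interval, but the wildcard above it wins.
cat > "$CONFIG_WILDCARD_FIRST" <<'EOF'
Host *
    ServerAliveInterval 60

Host icarus
    Hostname 10.10.10.76
    Port 22
    User jdoe

Host daedalus
    # shadowed: the Host * block above already supplied this option
    ServerAliveInterval 15
    Hostname 10.10.10.88
    Port 65000
    User duser
EOF

# Wildcard last: per-host values win, and the wildcard only fills the gaps
cat > "$CONFIG_WILDCARD_LAST" <<'EOF'
Host daedalus
    ServerAliveInterval 15
    Hostname 10.10.10.88
    Port 65000
    User duser

Host *
    ServerAliveInterval 60
EOF

# ssh_config_get <alias> <option> <file>
# Prints the first value found for <option> inside a block whose Host pattern is
# "*" or exactly <alias> (other glob forms are not handled here), or nothing if
# no block sets it. Option names are case-insensitive, as in OpenSSH.
ssh_config_get() {
    name="$1"; want=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); file="$3"
    awk -v name="$name" -v want="$want" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }    # drop comments and indentation
        NF == 0 { next }
        tolower($1) == "host" {                   # new block: does any pattern match?
            active = 0
            for (i = 2; i <= NF; i++) if ($i == "*" || $i == name) active = 1
            next
        }
        active && !found && tolower($1) == want { found = 1; print $2 }
    ' "$file"
}

# effective_ssh_target <alias> <file>
# Prints user@hostname:port as ssh would connect, using ssh's own fallbacks
# (the alias as the hostname, port 22, and the local login name).
effective_ssh_target() {
    name="$1"; file="$2"
    host=$(ssh_config_get "$name" Hostname "$file"); [ -n "$host" ] || host="$name"
    port=$(ssh_config_get "$name" Port "$file");     [ -n "$port" ] || port=22
    user=$(ssh_config_get "$name" User "$file");     [ -n "$user" ] || user=$(id -un)
    printf '%s@%s:%s\n' "$user" "$host" "$port"
}

# The real client prints the same resolution for every option (not run here):
#   ssh -G -F "$CONFIG_WILDCARD_FIRST" daedalus | grep -i serveraliveinterval
```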

Exploring an alternative to SSH utilizing Mosh (mobile shell)
While starting out with SSH, you might notice one quirk right away: if your network connection drops, it can be difficult to regain control of what you were doing on the machine you were connected to. This is especially common with laptops, as your connection state on such a device will change depending on where you are or what network you're connected to. While running commands within a terminal multiplexer such as tmux or screen can keep your workflow alive even after disconnecting, there is an alternative to SSH that may work for you. Mosh (mobile shell) is an alternative to SSH that will keep your remote session alive, even if you disconnect from the network where the resource resides. When you reconnect to the network, Mosh will allow you to pick up where you left off.
Installing Mosh in Debian is extremely easy. Simply install the mosh package, as it is available from within the default repositories:
# apt-get install mosh


In CentOS, Mosh is not available from that distribution's default repositories, so you'll first need to add an additional repository in order to make it available. First, enable the EPEL repository with the following command:
# yum install epel-release

Then, you should be able to install the mosh package:
# yum install mosh

In order for Mosh to be effective, you will need to install it not only on your local machine, but also any machines you wish to connect to. The syntax is similar to SSH:
mosh jdoe@10.10.10.101

Like SSH, we can supply the -p flag to specify a different port to use:
mosh -p 2222 jdoe@10.10.10.101

In fact, Mosh actually utilizes SSH to initiate the connection, and then the mosh program takes over from there. After you connect, you can simulate a disconnect by removing your network cable or disconnecting from your wireless access point. You will notice that the next time you connect using mosh, your session should be just as you left it. To see the magic in all its glory, consider starting a process (such as running the top command) before disconnecting.
While there are many ways to keep processes running on a remote server even when
your session is disconnected, Mosh is one of the newer and more unique solutions.
Give it a try!

Summary
In this chapter, we discussed SSH in all its glory. We started off with a discussion of what SSH is and why it's useful, and then we ensured it was installed on our systems. Using SSH, we were able to connect to other Linux machines and execute commands. We also took a look at configuring hosts in the ~/.ssh/config file and transferring files from one host to another using scp. In addition, SSH tunneling was discussed, as well as an introduction to public key authentication. We finished the chapter with a look at Mosh, which is a neat alternative to SSH.
In the next chapter, we'll tackle file sharing by setting up our very own file server. We'll set up file shares via Samba as well as NFS, and cover the individual quirks of each solution. See you there!
